The United States Needs a New Way to Think About Cyber
Published by The Lawfare Institute
in Cooperation With
Editor’s Note: The United States often treats foreign cyberattacks on U.S. infrastructure more as an annoyance than a threat. Such a complacent approach risks disaster. My colleague at the Center for Strategic and International Studies, Emily Harding, examines two recent cyber incidents, one by Iran and the other by China, and argues that the United States needs a more forceful approach.
Daniel Byman
***
The end of 2023 was marked by two major cyberattacks—one by a terrorist group and the other by a global power, and both targeting U.S. water and power supplies. These audacious attacks are indicative of a shift to a new, more dangerous phase of cyberwarfare, in which adversaries target critical infrastructure and imperil civilian lives. Yet, even though these adversaries have shifted their strategies, the United States has not. To respond effectively and create some modicum of deterrence, U.S. policymakers must rethink how they see cyber as an element of state power.
The two cyber hacks were remarkable. In November, a designated terrorist group that is also the covert action arm of the Iranian government, the Islamic Revolutionary Guard Corps (IRGC), attacked U.S. water plants. The stated target was an Israeli company that makes software for control systems, and the attack was meant to be retaliation for the war in Gaza. While the intent was to embarrass Israel, the facts are undeniable: A terrorist group attempted to impair water delivery to civilians in the United States.
Also at the end of the year, the National Security Agency and cybersecurity researchers raised renewed alarm about China’s Volt Typhoon group, which continues to burrow stealthily into U.S. water, power, and port systems. Put bluntly, this access could give Beijing the capability to severely disrupt daily life, particularly around the U.S. military bases that would serve as the launching pads for U.S. troops in a Pacific fight, like the 14 bases in Hawaii or the more than 30 in California, including Naval Base Coronado, West Coast home of the Navy SEALs.
These two egregious violations received little attention because they were cyberattacks, and “cyber” has been shunted into a silo of what tech people do behind the scenes. It’s separate, “technical,” and an afterthought, not an integrated tool of modern foreign policy. This mindset is a strategic mistake. While U.S. policymakers silo themselves, their adversaries are aggressively pursuing an integrated strategy. The U.S. government has no hope of deterring, defending, and responding unless it begins to integrate cyber offense and defense into its own national security strategy.
The IRGC’s Noisy Message
On Nov. 25, 2023, an IRGC hacking group took over part of the Aliquippa, Pennsylvania, water utility. The cyberattack forced workers to shut down a station that regulates water pressure. Staff at the facility switched to manual pumping, which prevented a breakdown in water supply for two towns near Pittsburgh.
How on earth did a small-town water system in Pennsylvania become an Iranian target? Aliquippa used an Israeli software package to control some of their operations, and the IRGC decided that made a small-town water utility—and a host of other entities—legitimate targets. These Israeli-made programmable logic controllers run a variety of processes around the country, including in water and wastewater systems, food and beverage manufacturing, energy, and health care. Other unlucky victims “spanned multiple U.S. states,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
China's Operational Preparation of the Environment
The NSA’s Cybersecurity Collaboration Center issued an urgent warning in November: China had redoubled its efforts to establish persistence in the computer networks supporting U.S. critical infrastructure. The new effort involved sneakier tactics, but the targets remained the same: power, water, and ports. Volt Typhoon is affiliated with the Chinese Communist Party’s People’s Liberation Army (PLA). Its victims have included a water utility in Hawaii, a major West Coast port, and at least one oil and gas pipeline, and the group also attempted to target Texas’s power grid, according to the Washington Post. These attacks follow on the heels of an attack revealed in May on various targets in Guam, including telecommunications infrastructure. Over at least the last year, Volt Typhoon has gained access to about two dozen entities. To hide their efforts, they used “living off the land” tactics, which make malicious code appear normal, used compromised home and office routers as vectors for the attacks, and hid their tracks by clearing logs.
In contrast to Tehran’s noisy political statement, Beijing sought operational preparation of the environment. In other words, they are preparing to disrupt life in the United States and distract Washington in the event of a conflict. While Iran was looking to make noise, China is attempting to lie in wait. Volt Typhoon’s focus on the West Coast and Hawaii is telling. It indicates that China is attempting to disrupt INDOPACOM and the functioning of its main bases. Brandon Wales, executive director of CISA, said, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict.” Cisco’s director of threat intelligence, Matthew Olney, told Reuters in May that the intrusion looked like sabotage preparation. “We definitely had alarm bells going off,” he said.
The Wrong Mindset
A designated terrorist entity successfully invaded water facilities and a rising adversary prepared to harm civilians in the event of a war, yet there was a limited policy response and even less general outrage. Why? For starters, the consequences of the attacks were limited—this time. The IRGC’s intent was malicious, but not deadly. Its limited objective was to disrupt and make a statement. The Chinese efforts were far more sophisticated but held in reserve for a future contingency. The harm was latent, not clear and present.
However, there is another, and more troubling, explanation for why these headlines were absent. Most foreign policy experts have implicitly placed cyber into a separate category from other tools of warfare and statecraft. Cyber is “technical stuff,” the IT team’s job, or an afterthought in defensive planning. In the classic DIME framework for the tools of state power (diplomacy, information, military, economy), there is no C for cyber. Information is sometimes awkwardly stretched to include warfare that takes place on information systems, but that shoehorn does not accommodate what has occurred in Ukraine or is coming from Iran or China.
This siloed mindset is dangerous, and in an all-out war, it could be deadly. Iran has not yet risen to China’s level of sophistication in the cyber realm, but it is working hard to get there. Iranian proxies and the United States are confronting each other after the Oct. 7, 2023, attacks, and this could prompt a far more aggressive Iranian approach to cyberattacks. With regard to China’s attacks, security firms likely found only a small percentage of embedded Chinese code. Imagine that the United States finds itself needing to deploy rapidly to defend an ally in the Pacific, but the base on Guam has no power, Hawaii’s traffic system is haywire and water systems are nonfunctional, and unexplained blackouts in Texas require intervention from the Federal Emergency Management Agency and the president’s attention.
This scenario is not a stretch—Russia has carried out similar activity in Ukraine. The difference was that Ukraine was ready. They have learned from enduring Russian cyberattacks on critical infrastructure for the better part of a decade and have worked to diversify their internet connectivity, pull in assistance from the best security researchers around the globe, and make their systems highly resilient. That’s a stark contrast to progress the United States has made toward similar goals. For example, CISA reported that the victims of the Iranian attack had connected systems to the internet without changing default passwords. The United States has a long way to go to resilience.
Default to the Status Quo Ante
The U.S. government’s main public response to these two incidents was education—CISA warned potentially affected entities and, once again, encouraged them to patch and implement basic defenses. This is the normal pattern: An attack happens in the cyber domain, and the response is technical fixes and asking affected entities to defend themselves. Cyberattacks are treated as more akin to slow-moving natural disasters than armed conflict. The default setting is that a cyberattack will naturally deescalate and resolve without much fuss.
Recent scholarly work argues that escalation in the cyber domain is inherently self-limiting. For structural reasons, cyber operations are inherently low level and deescalatory. First, cyber conflict has been slow because finding a vulnerability in a system, crafting an exploit for that vulnerability, and waiting for the opportune moment to deploy it all take time. Attributing an attack to a specific party—particularly a state actor looking to conceal its tracks via a proxy—can also be time consuming, if it happens at all. By the time most states have confidently identified and attributed an attack, and then crafted response options, the outrage and urgency have dissipated.
In addition, cyberattacks rarely kill or maim, and they only occasionally cause physical damage. Even destructive attacks tend to damage just computers—expensive to replace, but more annoying than injurious. The goal of much cyber activity has been espionage, which is as old as time, and while the cyber domain is a rich new venue to exploit, the rules of the game are fairly clear. Espionage rarely leads to conflict.
However, the theory of deescalatory cyber depends on certain assumptions that may be increasingly tenuous. First, the speed: AI-enabled cyber offense and defense will dramatically accelerate the process of finding and exploiting vulnerabilities. Second, espionage and sabotage look remarkably similar from a network administrator’s perspective. Misinterpreting intent can lead to vast under- or overreaction. Finally, states such as Iran and China have gotten bolder in their targeting. An attack on a water plant is certainly a massive step up from a spiteful hit on a casino’s computers—and far more likely to lead to death, which leads to escalation.
Everyone would be better off if cyber operations stayed in the realm of nonviolent, nonescalatory activity. Nations have always needed a way to signal disapproval and spar with each other without coming to blows. But there is no largely agreed-upon code of conduct in the cyber domain, like keeping hands off of critical infrastructure. Attacks like Iran’s and China’s should be viewed as part of a dangerous new phase in cyberwarfare. The U.S. government needs to establish a new framework for conceptualizing and responding to these kinds of attacks.
Establish the Rules: Cyberattacks Are Attacks
The U.S. government should take three steps in order to establish clear rules of the road and set up a system of deterrence. First, the secretary of state or national security adviser should give a speech laying out a declaratory policy with the following key points:
- Cyberattacks are still attacks. If they imperil life, health, or safety, and particularly if they threaten critical infrastructure in a way that could create a mass casualty event, the U.S. government will treat them as they would any other attack on civilians. By way of establishing a parallel, if an artillery shell landed on the Hoover Dam, but failed to detonate, defense planners would not shrug and send in guys with brooms.
- The United States can and will use all elements of state power to effectively defend the homeland against any threat, in any domain. The Department of Defense stated a version of this policy in the context of integrated deterrence, but it is worth a high-level official saying it again. The official should point out that U.S. policy refuses to target civilian critical infrastructure, so a proportional response to a cyberattack on our critical infrastructure would be serious and likely include economic or military measures.
- Intent is far harder to interpret in the cyber domain than elsewhere. As a result, the United States will assume any cyberattack on critical infrastructure has a destructive intent and respond accordingly.
- Correspondingly, friends, foes, and frenemies alike need a way to communicate about cyberattacks. A hotline should be established so that states can communicate if an attack was actually a rogue actor or if the malware in question somehow misfired.
Second, these cyberattacks warrant a response tailored to the act and the actor. Iran’s recent behavior merits a military response. On Jan. 4, the United States struck a senior leader of the Iran-aligned Popular Mobilization Force by way of retaliating for hundreds of recent attacks on U.S. forces. Further steps should explicitly include a link to Iranian cyberattacks on the homeland.
For China, a response in the cyber domain targeted at the PLA is most appropriate, but it should be a response with a clear message. U.S. policy should never be to counter-target civilian populations, so the response should communicate how seriously the United States is taking the attack without responding in kind. Options might include a limited hack and leak of PLA data, like salaries of top-ranking generals or the last vacations they took, playing into Chinese President Xi Jinping’s anti-corruption push. In the non-cyber realm, the U.S. ambassador to the United Nations could give a speech in the Security Council, reflecting the points above but also specifically naming attacks on water and power systems as deeply irresponsible, given the potential effect on innocent civilians.
For Iran, China, and any other actor that might be considering similarly bold attacks, the United States’ priorities should be creating a deterrent and setting clear expectations for norms of behavior in the cyber realm. For example, the Chinese cyber intrusions were meant to be discussed during Biden’s last meeting with Xi, but it didn’t come up during the four-hour meeting. That, in itself, is a signal.
Defense is still quite important. The Iranian attack happened less than a month after the Environmental Protection Agency rescinded a rule requiring water systems to conduct additional cyber health checks. The patchwork U.S. system of water and other utilities may be a strength in some ways, but these entities absolutely must be more responsible about cyber hygiene. Utility companies are suddenly on the front lines, whether they are in Hawaii, Guam, Pennsylvania, or Iowa.
All this requires a shift in mindset. Despite dramatic warnings from groups like the Cyber Solarium Commission, U.S. cyber policies today are marked by complacency. Until and unless the United States embraces cyber activity as a tool of statecraft and warfare, it leaves itself open to assault in this domain.